Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to OpenSSL-1.1.0h #19794

Closed
wants to merge 11 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
The diff you're trying to view is too large. We only load the first 3000 changed files.
59 changes: 21 additions & 38 deletions BUILDING.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,23 @@ Depending on host platform, the selection of toolchains may vary.

* Visual Studio 2017 or the Build Tools thereof

#### OpenSSL asm support

OpenSSL-1.1.0 requires the following asssembler version for use of asm
support.

* gas (GNU assembler) version 2.23 or higher
* xcode version 5.0 or higher
* llvm version 3.3 or higher
* nasm version 2.10 or higher in Windows

Otherwise, `--openssl-no-asm` is added with warning in configure.

*Note:* The forthcoming OpenSSL-1.1.1 will require higher
version. Please refer
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for
details.

## Building Node.js on supported platforms

*Note:* All prerequisites can be easily installed by following
Expand Down Expand Up @@ -241,6 +258,9 @@ Prerequisites:
* Basic Unix tools required for some tests,
[Git for Windows](http://git-scm.com/download/win) includes Git Bash
and tools which can be included in the global `PATH`.
* **Optional** (for OpenSSL assembler modules): the [NetWide Assembler](http://www.nasm.us/),
if not installed in the default location it needs to be manually added
to `PATH`.
* **Optional** (to build the MSI): the [WiX Toolset v3.11](http://wixtoolset.org/releases/)
and the [Wix Toolset Visual Studio 2017 Extension](https://marketplace.visualstudio.com/items?itemName=RobMensching.WixToolsetVisualStudio2017Extension).

Expand Down Expand Up @@ -377,44 +397,7 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)

## Building Node.js with FIPS-compliant OpenSSL

It is possible to build Node.js with the
[OpenSSL FIPS module](https://www.openssl.org/docs/fipsnotes.html) on POSIX
systems. Windows is not supported.

Building in this way does not mean the runtime is FIPS 140-2 validated, but
rather that the runtime uses a validated module. In addition, the validation for
the underlying module is only valid if it is deployed in accordance with its
[security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
If you need FIPS validated cryptography it is recommended that you read both
the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
and [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).

### Instructions

1. Obtain a copy of openssl-fips-x.x.x.tar.gz.
To comply with the security policy you must ensure the path
through which you get the file complies with the requirements
for a "secure installation" as described in section 6.6 in
the [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).
For evaluation/experimentation, you can simply download and verify
`openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder and `cd openssl-fips`
3. `./config`
4. `make`
5. `make install`
(NOTE: to comply with the security policy you must use the exact
commands in steps 3-5 without any additional options as per
Appendix A in the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
The only exception is that `./config no-asm` can be
used in place of `./config`, and the FIPSDIR environment variable
may be used to specify a non-standard install folder for the
validated module, as per User Guide sections 4.2.1, 4.2.2, and 4.2.3.
6. Get into Node.js checkout folder
7. `./configure --openssl-fips=/path/to/openssl-fips/installdir`
For example on ubuntu 12 the installation directory was
`/usr/local/ssl/fips-2.0`
8. Build Node.js with `make -j`
9. Verify with `node -p "process.versions.openssl"` (for example `1.0.2a-fips`)
This version of Node.js does not support FIPS.

## Building Node.js with external core modules

Expand Down
67 changes: 47 additions & 20 deletions configure
Original file line number Diff line number Diff line change
Expand Up @@ -639,6 +639,25 @@ def get_version_helper(cc, regexp):
else:
return 0

def get_nasm_version(asm):
try:
proc = subprocess.Popen(shlex.split(asm) + ['-v'],
stdin=subprocess.PIPE, stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
except OSError:
warn('''No acceptable ASM compiler found!
Please make sure you have installed nasm from http://www.nasm.us
and refer BUILDING.md.''')
return 0

match = re.match(r"NASM version ([2-9]\.[0-9][0-9]+)",
proc.communicate()[0])

if match:
return match.group(1)
else:
return 0

def get_llvm_version(cc):
return get_version_helper(
cc, r"(^(?:FreeBSD )?clang version|based on LLVM) ([3-9]\.[0-9]+)")
Expand Down Expand Up @@ -677,6 +696,11 @@ def get_gas_version(cc):
# quite prepared to go that far yet.
def check_compiler(o):
if sys.platform == 'win32':
if not options.openssl_no_asm:
nasm_version = get_nasm_version('nasm')
o['variables']['nasm_version'] = nasm_version
if nasm_version == 0:
o['variables']['openssl_no_asm'] = 1
return

ok, is_clang, clang_version, gcc_version = try_check_compiler(CXX, 'c++')
Expand Down Expand Up @@ -1039,32 +1063,35 @@ def configure_v8(o):


def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
variables = o['variables']
variables['node_use_openssl'] = b(not options.without_ssl)
variables['node_shared_openssl'] = b(options.shared_openssl)
variables['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.use_openssl_ca_store:
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_system_ca_path:
o['variables']['openssl_system_ca_path'] = options.openssl_system_ca_path
o['variables']['node_without_node_options'] = b(options.without_node_options)
variables['openssl_system_ca_path'] = options.openssl_system_ca_path
variables['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']

# supported asm compiler for AVX2. See https://github.com/openssl/openssl/
# blob/OpenSSL_1_1_0-stable/crypto/modes/asm/aesni-gcm-x86_64.pl#L52-L69
openssl110_asm_supported = \
('gas_version' in variables and variables['gas_version'] >= '2.23') or \
('xcode_version' in variables and variables['xcode_version'] >= '5.0') or \
('llvm_version' in variables and variables['llvm_version'] >= '3.3') or \
('nasm_version' in variables and variables['nasm_version'] >= '2.10')

if not openssl110_asm_supported and variables['openssl_no_asm'] == 0:
warn('''openssl_no_asm is enabled due to missed or old assembler.
Please refer BUILDING.md''')
variables['openssl_no_asm'] = 1

if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join('deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
# LINK is for Makefiles, LD/LDXX is for ninja
o['make_fips_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
['LD', fips_ld + ' <(openssl_fips)/bin/fipsld'],
['LDXX', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = ''
try:
os.remove('config_fips.gypi')
except OSError:
pass
print('Error: FIPS is not supported yet in this version')
exit(1)
variables['openssl_fips'] = ''

if options.without_ssl:
def without_ssl_error(option):
Expand Down
79 changes: 79 additions & 0 deletions deps/openssl/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
This has a new binding scheme in building OpenSSL-1.1.0 library with
Node.js. OpenSSL-1.1.0 uses a new build system with `Perl` for various
supported platforms. See `openssl/Configurations/README` and
`openssl/Configurations/README.design` in the OpenSSL source for
details.

In order to build OpenSSL library without `Perl` in the build of Node.js
for various supported platforms, platform dependent files (e.g. asm
and header files ) are pre-generated and stored into the
`config/archs` directory.

- `config/Makefile` and `config/generate_gypi.pl`

Makefile has supported platform list and generates and copies
platform dependent files (e.g. asm files) into arch directory with
`generate_gypi.pl`. Platform dependent gypi files also created
obtaining build information from `configdata.pm` that is generated
with `Configure` in the OpenSSL build system.

For Windows, `Configure` generates `makefile` that is only available
to `nmake` command. `config/Makefile_VC-WIN32` and
`config/Makefile_VC-WIN64A` are made by hand for the use of GNU
make. If `makefile` rules or targets are changed in the version up
of OpenSSL, they should be also updated.

- gyp and gypi files (`openssl*.{gyp,gypi}`)

`openssl.gyp` has two targets of openssl and openssl-cli referred
from `node.gyp`. They include asm and no_asm gypi files with arch
dependent gypi according to its build options and platforms. The
gyp data which is common with asm and no_asm are stored in
`openssl_common.gypi`.

- header files (`config/*.{h,h.tmpl}`)

`bn_conf.h`, `dso_conf.h` and `opensslconf.h` are platform dependent
in the OpenSSL sources. They are replaced with `config/*.h.tmpl`
files to include the file in the `../../../config/` and referred to
each arch file that depends on asm and no-asm option.

### Supported architectures for use of ASM

Here is a list of supported architectures for use of ASM in OpenSSL.

| --dest-os | --dest-cpu | OpenSSL target arch | CI |
| --------- | ---------- | -------------------- | --- |
| aix | ppc | aix-gcc | o |
| aix | ppc64 | aix64-gcc | o |
| linux | ia32 | linux-elf | o |
| linux | x32 | linux-x32 | - |
| linux | x64 | linux-x86_64 | o |
| linux | arm | linux-armv4 | o |
| linux | arm64 | linux-aarch64 | o |
| linux | ppc | linux-ppc | o |
| linux | ppc64 | linux-ppc64 | o |
| linux | ppc64(*1) | linux-ppc64le | o |
| linux | s390 | linux32-s390x | o |
| linux | s390x | linux64-s390x | o |
| mac | ia32 | darwin-i386-cc | - |
| mac | x64 | darwin64-x86-cc | o |
| win | ia32 | VC-WIN32 | - |
| win | x64 | VC-WIN64A | o |
| solaris | ia32 | solaris-x86-gcc | o |
| solaris | x64 | solaris64-x86_64-gcc | o |
| freebsd | ia32 | BSD-x86 | - |
| freebsd | x64 | BSD-x86_64 | o |
| openbsd | ia32 | BSD-x86 | - |
| openbsd | x64 | BSD-x86_64 | - |
| others | others | linux-elf | - |

(*1: This needs to be configured with the variable of node_byteorder:
little)

These are listed in [config/Makefile](config/Makefile).
Please refer [config/opensslconf_asm.h](config/opensslconf_asm.h) for details.

### Upgrading OpenSSL

Please refer [config/README.md](config/README.md).
Loading